Encryption - Advanced Encryption Standard

AES is a block cipher arranging data in a 4x4 grid 128bits (16 bytes) taking these 128 bits of data and encrypting it into a 128bits of ciphertext.

| b00 | b04 | b08 | b12 |
| b01 | b05 | b09 | b13 |
| b02 | b06 | b10 | b14 |
| b03 | b07 | b11 | b15 |

Using the same key for both encryption and decryption.

Keys can have different size 128, 192 and 256 bits offering increasing security. Their length impacts the number of rounds necessary 10,12 and 14 respectively.

The differents steps of the algorithm use substitution to bring confusion and permutation to add diffusion.

AES implementation both software and hardware. The latter ensuring fast encryption and decryption.

A finite or Galois field has a number of elements and some operations with results from operations made on these elements being themselves within the field. In this context the field GF(2⁸) has elements from 00000000 to 11111111 and the operations + - * x^-1.

AES in 128bits symmetric block cipher taking 128 bits of data and encrypts it in a 128bits of cipher text with keys of different length 128, 192 or 256bits. Being a block cipher data is arrange into 4x4 grind of 128bits (or 16bytes). The 16bytes of data are then transformed into ciphertext using substitutions and permutations. The number of rounds needed depend on the key length; 10, 12, 14 for keys of 128, 192, 256 bits respectively.

Original key expanded
using key scheduler
into round keys (k0..kn)

         plaintext
k0       xor
    subbytes                     --  1 round
    shiftrows                      | (128bits 10 rounds
    mixcolumns (expect last round) | 192bits 12 rounds
kn  add round keys               --  256bits 14 rounds)
         ciphertext

The key is expanded by a key scheduler into a series of round keys use at each stage.

A round key is mixed with the data using a bitwise exclusive OR (XOR) operation. In each round this operation happens last, at the exception of the first one where it is mixed with plaintext data.

| XOR | 0 | 1 |
|  0  | 0 | 1 |
|  1  | 1 | 0 |

The substitution is based on an efficient method, a lookup table where each byte is mapped to a different one without any fixpoint. A byte cannot be replaced by itself (eg. 01100110 cannot be mapped to 01100110). Nor is it possible to have opposite fixed point where bits are flipped (eg. 01100110 cannot be mapped to 10011001).

| b00 | b04 | b08 | b12 |
| b01 | b05 | b09 | b13 |
| b02 | b06 | b10 | b14 |
| b03 | b07 | b11 | b15 |

Apply the substitution using the lookup table

| s(b00) | s(b04) | s(b08) | s(b12) |
| s(b01) | s(b05) | s(b09) | s(b13) |
| s(b02) | s(b06) | s(b10) | s(b14) |
| s(b03) | s(b07) | s(b11) | s(b15) |

The first part of the permutation shifts rows with no changes to the first one, 1 left shift to the second one, 2 to the third one and 3 to the fourth one.

| b00 | b04 | b08 | b12 | <- no shift
| b01 | b05 | b09 | b13 | <- 1 left shift
| b02 | b06 | b10 | b14 | <- 2 left shifts
| b03 | b07 | b11 | b15 | <- 3 left shifts

Apply shift.

| b00 | b04 | b08 | b12 |
| b05 | b09 | b13 | b01 |
| b10 | b14 | b02 | b06 |
| b15 | b03 | b07 | b11 |

The second part of the permutation mixes columns using matrix multiplication. The numbers present in the matrix has been chosen to be small enough to be fast and disperse sufficiently to mix the data. In this context the addition is an XOR operation and multiplication happens within the field. This step happens on each round at the exception of the last one.

| b00 | b04 | b08 | b12 |
| b05 | b09 | b13 | b01 |
| b10 | b14 | b02 | b06 |
| b15 | b03 | b07 | b11 |

Multiply successively each column with the following matrix.

| 2 | 3 | 1 | 1 |
| 1 | 2 | 3 | 1 |
| 1 | 1 | 2 | 3 |
| 3 | 1 | 1 | 2 |

To obtain,

| 2b00+3b05+b10+b15 | 2b04+3b09+b14+b03 | 2b08+3b13+b02+b07 | 2b12+3b01+b06+b11 |
| b00+2b05+3b10+b15 | b04+2b09+3b14+b03 | b08+2b13+3b02+b07 | b12+2b01+3b06+b11 |
| b00+b05+2b10+3b15 | b04+b09+2b14+3b03 | b08+b13+2b02+3b07 | b12+b01+2b06+3b11 |
| 3b00+b05+b10+2b15 | 3b04+b09+b14+2b03 | 3b08+b13+b02+2b07 | 3b12+b01+b06+2b11 |